In April, I joined several of my Protiviti colleagues on a webinar hosted by The IIA’s Financial Services Audit Center. The two-hour session, titled Hot Topics in Compliance: Consumer Protection and Compliance Governance, focused on recent regulatory developments in consumer protection reforms related to the Dodd-Frank Act, including mortgage lending disclosures and debt collection practices.

It was a great session, packed with valuable information, especially Tom Giltrow’s take on the evolution of the Fair Debt Collection Practices Act, or FDCPA, and Todd Eaton’s explanation of the new consolidated mortgage loan disclosures (known as TILA-RESPA Integrated Disclosures, or TRID) that have replaced the familiar Truth in Lending, Good Faith Estimate and HUD Settlement Statement forms for consumer real estate loans.

I’ll say up front, as I said in the webinar, that regulatory compliance is an all-in responsibility that requires the engagement of all three lines of defense. Without standards and direction at the enterprise level, compliance management and consumer remediation tend to occur ad hoc, within individual business units or departments, which can result in inconsistent and potentially inadequate corrective and remedial actions.

In 2013, the Consumer Financial Protection Bureau (CFPB) published a bulletin outlining four expectations for what it calls “responsible business conduct”:

Self-policing – Robust self-monitoring mechanisms are needed to detect violations. From quality control, compliance monitoring and testing, to compliance reviews, complaint response and internal audit, as issues are identified, steps should be taken to evaluate root causes and what corrective actions and remediation might be necessary.

Self-reporting – Once an issue has been identified and internally evaluated or vetted by the organization, the CFPB expects that institutions self-report the issues, particularly for significant issues involving potential violations and consumer harm. Self-reporting is a difficult task for many institutions, but it is an important part of being transparent with the institution’s regulators when issues do arise.

Remediation – Institutions should take timely steps to detect and correct compliance issues, with an eye toward the implementation of robust, longer-term corrective actions. Consumers impacted negatively by an issue, whether financially or non-financially, should be remediated, and the redress should reasonably “make the customer whole.” This is also a difficult task, because the exact form of redress is often dictated by the circumstances rather than a clear legal or regulatory requirement. The appropriate course of action is often benchmarked against precedent, such as through public enforcement actions.

Cooperation – When it comes time to determine what actions, if any, to take against an institution, regulators have made it clear that affirmative credit will be reserved for those institutions that are forthcoming and transparent in working with them and law enforcement. The CFPB has stated that self-reporting and cooperation do not guarantee that the agency will not take action against an institution, but that the cooperative behavior will be viewed positively when a regulatory action does arise. Public CFPB enforcement actions have indeed borne this out.

Ultimately, the message here is that an institution’s response to a compliance issue or an adverse consumer issue can be more important than the issue itself. By focusing on root causes and timely corrective actions to address operational and technological deficiencies, and not getting bogged down in the specifics of an individual mistake or violation, organizations, with the help of their internal audit functions, can vastly improve issue resolution and governance, and possibly qualify for affirmative credit.

Our webinar focused on internal audit and on the implications of regulatory expectations and changes to compliance requirements for the internal audit function and for financial institutions broadly. Internal audit’s role in compliance issue resolution is varied – from, at minimum, ensuring that internal audit issues are tracked and resolved appropriately by the institution, to providing credible challenge to management’s overall compliance issue identification and resolution processes. Credible challenge might include review and validation of the effectiveness of the implemented corrective actions as well as the remediation provided to impacted consumers.

That’s plenty to think about for now. I hope you’ll join the conversation by sharing your thoughts in the comment section below.